Netsclaer application firewall function test

The new version of critix netsclaer Server Load balancer provides the application firewall function. The official description is no different from the application firewall provided by other vendors and is a comprehensive defense. Let me test it.

Purpose: 1. application firewallSQL injection, XSS, and CRSF functional defense.

2. Enable the application firewall function, resulting in performance overhead.

 

Basic configuration process:

Enable application firewall:

Systems> Settings> Change basic features. Check Application Firewall.

Configure profiles:

Application Firewall> Profiles. One processing action must be configured.

By default, four profiles are available:

Appfw_block: Return to the specified page

Appfw_bypass: ignore-Allow request

Appfw_drop: discards the request and does not return any information.

Appfw_reset: resets the connection.

New policy:

Application Firewall> Policies must have one policy associated with profiles. The policy should be defined by yourself !!! No Default policy !!!

Application policy:

Application Firewall> Policies, select one policy, and click Global Bindings

Procedure:

1. Systems> Settings> Change basic features. Select Application Firewall.

2. Create: Application Firewall> Profiles> Add

Profile name: test Profile Type: Web Application (HTML)

3. Modify the new Profile configuration:

Because no block request is required for the test phase, you only need to record the hit log.

4. Create a Policy:

Application Firewall> Policies

About the Configuration Policy, netsclaer is too unfriendly. There is no instruction document and no template.

Here, I configure to capture POST and GET packets for all http requests.

5. Apply Policy

Application Firewall> Policies

Preliminary Test of Defense Capability

Find 1 XSS vulnerability page

Http: // ip/topic. php? Tid = 214607% 27and % 201 = 1 test SQL defense

Http: // ip/topic. php? Tid = 214607% 22% 3E % 3 CsCrIpT % 3 Ealert % 2868117% 29% 3C/sCrIpT % 3E test XSS defense

We can find that all the above simple probes are blocked. This is just a simple keyword capture. Because no data packet is block, the false positive rate does not need to be tested.

Performance overhead:

Test Tool AB:

Req concurrent CPU Mem management CPU

0 0 0.1% 26.87% 1%

1000 200 1%-2.5% 26.88% 0.7%

No policy applied'

1000 200 0.2% 26.88% 0.7%

Similar to: the main application's netsclaer 15000 connections, and the Configuration Policy's CPU performance overhead is too high. It is not recommended to enable this function.

Conclusion: netsclaer application firewall implements simple application firewall functions, which can defend against General initial detection, but has a high performance overhead. If it is used together with the application layer load balancing, it is not recommended to enable it.